Systems and methods for generating signatures

ABSTRACT

System and method for digitally signing messages using multi-party computation.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/983,216, filed 3 Aug. 2020, which claims the benefit of U.S.Provisional Application No. 62/881,729, filed 1 Aug. 2019, U.S.Provisional Application No. 62/881,711, filed 1 Aug. 2019, and U.S.Provisional Application No. 62/946,912, filed 11 Dec. 2019, which areeach incorporated herein in its entirety by this reference.

TECHNICAL FIELD

This invention relates generally to the cryptocurrency field, and morespecifically to a new and useful system and method for generatingsignatures.

BACKGROUND

Several cryptocurrency protocols requiring signing of transactions foroperations related to management of a cryptocurrency protocol. Suchtransactions are typically separate from transactions for transfer ofcryptocurrency assets. Ordinarily, a private key is used to sign suchtransactions. However, accessing and using such a private key fortransaction signing can increase the likelihood of the private key beingaccessed by an unauthorized entity.

There is a need in the computer networking field to create a new anduseful systems and methods for secure signing of transactions. Thisdisclosure provides such new and useful systems and methods.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is schematic representations of a system, in accordance withvariations.

FIGS. 2A-D are representations of a method, in accordance withvariations.

FIG. 3 is a representation of a method, in accordance with variations.

FIG. 4 is a representation of a method, in accordance with variations.

FIG. 5 is a representation of a system, in accordance with variations.

FIG. 6 is a representation of an exemplary key allocation flow, inaccordance with variations.

FIG. 7 is a representation of an exemplary signing flow, in accordancewith variations.

FIG. 8 is a representation of a key generation flow for a single messagesigning key and participant set, in accordance with variations.

FIG. 9 is a representation of a message signing flow for a singlemessage, using a single message signing key, in accordance withvariations.

FIG. 10 is a representation of a proactive secret sharing, in accordancewith variations.

FIG. 11 is a flowchart representation of an example of the method.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following description of embodiments is not intended to limit theclaims to these embodiments, but rather to enable any person skilled inthe art to make and use embodiments described herein.

1. Overview.

The method for distributed signature generation functions to restrictinformation about a private key, such that the private key does not needto exist in the clear outside of key generation. The system and methodenables cryptographic signature generation with t of n participantswithout requiring the signing private key to be in the clear (e.g.,reconstituted) for signing.

All or portions of the method can be performed by a remote computingsystem, a local participant system, a combination thereof, and/or anyother suitable system. Communications between systems can be: signed(e.g., with a private key of an asymmetric key pair, with a symmetrickey), encrypted, and/or otherwise authenticated and/or secured.

In some variations, a quorum of signers (t of n) must collaborate toproduce a valid signature, and no malicious group of adversaries cangain useful information about the private key without access to at leastt signers and key-share ciphertext. In some variations, asynchronoussigning is provided, where signers can be offline by default, and comeonline only when there is an action to take. Variations leverage atrusted key generation and key-share issuance ceremony to distributesecrets to signers, as well as an online centralized server to manageprotocol state. In some variations, signing-keys (e.g., private keys)are generated in an off-line key generation ceremony.

In some variations, a signing system (e.g., 110 shown in FIG. 1 ) isused to sign transactions. In some variations the signing systemincludes at least one of: an application programming interface (API)system (e.g., 113); an issuer system (e.g., 111); a message signingsystem (e.g., 112); and at least one participant system (e.g., 114 a-c).

In some variations, the method (e.g., 200 shown in FIG. 2A) includes atleast one of: generating a private key (e.g., S210); generating signingsecrets by using the generated private key (e.g., S220); and processinga signing request by using the stored signing secrets (e.g., S230). Insome implementations, at least one component of the signing system(e.g., 110) performs at least a portion of the method (e.g., 200).

In one example, the method can include: at an issuer system, generatinga signing key (message signing key), splitting the signing key intosecret shares encrypted to different participants, and uploading theencrypted secret shares to a message signing system. To sign a message,the method can include: with a first quorum of participants, generatinga nonce for a message to be signed (e.g., using a distributed keygeneration method) based on the respective secret shares, splitting thenonce into nonce shares encrypted to different participants, anduploading the encrypted nonce shares to the message signing system; andat each of a second quorum of participants, generating a partialsignature from the nonce shares encrypted to the respective participant,and uploading the partial signature to the message signing system; thepartial signatures are then aggregated into a signature that verifiesunder the aggregate public key (PK) (e.g., by a participant, the messagesigning system, etc.), wherein the message can be signed with thesignature and optionally sent to the respective blockchain network. Eachparticipant of the first quorum can generate the nonce, a partial nonce,or other datum that is subsequently split, encrypted, and uploaded.Generating the partial signature can include, at each participant of thesecond quorum: downloading and decrypting the nonce shares that areencrypted to them; downloading and decrypting the signing key sharesthat are encrypted to them; optionally verifying the validity of allencrypted data; combining the decrypted nonce shares into a single nonceshare; and creating the partial signature using the key and nonce share.This example can be coordinated by the message signing system, which canfunction as shared data storage and state machine coordinator, and canbe blind to the private signing key and/or nonce values.

In a second example, the method includes generating a signing key sk andsplitting sk into key shares using a t of n splitting construction; ateach participant system of a first quorum of at least t participants,generating a nonce r_(i) based on randomness and a key share andsplitting the nonce into nonce shares using the same t of n splittingconstruction; at each participant system of a second quorum of at leastt participants, retrieving a key share and nonce shares of the at leastt nonces (from the first quorum), generating an aggregate nonce, andgenerating a partial signature based on a message, the key share, andthe aggregate nonce; and reconstructing a signature for the messagebased on the at least t partial signatures.

2. Benefits.

This method can confer several benefits over conventional systems andmethods.

First, messages (e.g., cryptocurrency transactions) can be signedwithout exposing a private key of a cryptocurrency wallet. Instead, theprivate key is split into shares, the shares are used to generatepartial signatures, and the partial signatures are combined to generatea signature for the message. The systems generating the partialsignatures do not need access to the complete private key, and thesystem combining the partial signatures does not need to access eitherthe shares of the private key or the complete private key to generate afull signature for the message.

Second, messages can be signed by using on-line systems. Since thecomplete private key is not needed to sign the message, signing can beperformed by on-line systems that have access to shares of the privatekey, or partial signatures. There is no need to reconstruct the privatekey in a secure, off-line environment to perform signing. This furtherenables the private keys to be reused for multiple signatures.

Third, security can be improved by distributing the signing processamong a plurality of systems, rather than entrusting signing to a singletrusted system.

Fourth, variants of the system and method enable valid signaturegeneration without message signing key reconstruction. In variantsleveraging Shamir's Secret Sharing (SSS) to split the message signingkey, shares generated using SSS can be linearly combined to reconstructthe message signing key as long as t of n shares are available. Thisallows any participant to construct a valid signature as long as t of npartial signatures, generated using the same message (m), but differentmessage signing key shares, are available. For signing protocols thatrequire one or more pieces of additional signing data (e.g., a nonce),the additional signing data can be collectively generated, particularlywhen one or more participants each determine respective additionalsigning data from a respective private key share and/or the message(e.g., by generating the data using a random value, hashing the privatekey share and the message, etc.). Furthermore, when an additionalsigning data itself is split using SSS (e.g., with the same t of nconfiguration), its shards are also linearly combinable with shards ofadditional signing data generated using a different message signing keyshare, such that a partial signature generated using shards frommultiple additional signing data (each generated from a differentmessage signing key share) can be aggregated with other partialsignatures (generated in the same manner) to generate a valid signature.

Additional benefits can be provided by the systems and methods disclosedherein.

3. System.

The signature generation method is preferably performed with a signingsystem 110, but can alternatively be performed with a different system.The signing system 110 preferably functions to facilitate messagesigning. In a first variation, the signing system 110 functions to signmessages (e.g., cryptocurrency transactions). In a second variation, thesigning system 110 functions to coordinate signature generation for amessage. For example, the signing system 110 can function as a shareddata storage, as a state machine coordinator, to verify theauthorization key signatures of the participants requesting or sendingdata, or perform other functionalities. The signing system is preferablyblind (e.g., has no knowledge of, cannot access) the message signing key(private signing key) and/or nonce values, but can alternativelyfunction as a participant or otherwise participate.

The message is preferably a blockchain message, compatible andverifiable with the respective blockchain that the signed message issent to, but can alternatively be a datum or other message. The messagecan be: a transaction message, a governance message (e.g., for staking,delegating, voting, etc.), and/or other message. The message can begenerated by: a platform, a dApp (distributed application), an exchange,a client, and/or any other suitable system. The message can beassociated with a signature verification key PK, an address generatedfrom PK, and/or any other suitable address or message signing keyidentifier.

The signing system 110 is preferably used with a set of keys, which canbe used for authorization or verification, encryption, signing, orotherwise used. Examples of keys used with the signing system 110include: a message signing public key (PK) (signature verification key)used to verify the final signature (e.g., generated from the signingprivate key, paired with the signing private key (sk)); a messagesigning private key (sk); a keygen integrity key (PK_(KG)) orpublic-private keypair (PK_(KG), sk_(KG), respectively), which can beused by participant systems to validate encrypted key shares as beingprovided by a known key generation system (e.g., the Issuer System 111)or process; a server authentication key (AK_(S)) or public-privatekeypair (AK_(S), ak_(S), respectively), wherein AKs can be used byparticipants to verify that they are communicating with the correctmessage signing system 112; a participant authentication key (AK_(Pi))or public-private keypair (AK_(Pi), ak_(Pi), respectively, forparticipant i), wherein the public key AK_(Pi) can be used forauthenticating participant systems with the server and otherparticipants; a participant encryption key (ENK_(Pi)) or public-privatekeypair (ENK_(Pi), enk_(Pi), respectively or ENK_(Pi), enc_(Pi),respectively, for participant i), wherein the public key ENK_(Pi) can beused by other participants to encrypt data to the receiving participant;one or more ephemeral issuer keys (EK_(I)) used to encrypt the shares ofthe signing private key (sk) to each participant system; one or moreparticipant ephemeral keys (EK_(P)) created by the participant systemswhen encrypting data to another participant; and/or other keys.

The message signing key (e.g., public and/or private) can be a key thatconforms to any suitable message signing format or protocol. Examples ofcryptocurrency signature schemes that the signing key and/or resultantsignature can be compatible with include: DSA signature schemes, ECDSAsignature schemes, EdDSA signature schemes (e.g., Ed25519, Ed448, etc.),pairing-based schemes (e.g., BLS), Schnorr, RSA, ring signatures, and/orany other suitable cryptocurrency signature scheme (e.g., public keyalgorithm). When the cryptocurrency signature scheme requires additionalsigning data in addition to the private key and the message (e.g., anonce), the additional signing data is generated. The signing system 110can be compatible with one or more cryptocurrency signature schemes.When the signing system 110 is compatible with a single cryptocurrencysignature scheme, a system can include a different signing system 110implementation for each cryptocurrency signature scheme. In somevariations, the message signing private key is a sequence of randomlygenerated bytes. In some variations, S210 includes fetching 32 bytes ofrandom data from a cryptographically secure random data source.

In some variations, keys PK_(KG), EK_(I), EK_(P) are ephemeral keys. Insome variations, key PK is an Ed25519 key. In some variations, keysPK_(KG), EK_(I), AK_(P), ENK_(P), EK_(P), and AK_(S) are NIST-P256 keys.

In one variation, a platform account (e.g., institution, individual,etc.) can be associated with a participant group including n or moreparticipant key sets (e.g., wherein a participant key set can include:AK_(Pi), ak_(Pi), ENK_(Pi), enk_(Pi) for participant i), held byparticipants affiliated with the platform account (e.g., institutionemployees). The participant group (and/or platform account) can beassociated with one or more message signing keys, wherein t of nparticipants from the participant group can cooperatively sign messagesverifiable to the public message signing key (PK). Each message signingkey can be associated with a keygen integrity key (PK_(KG)), which isassociated with (and/or identifies) the keygen ceremony that generatedthe respective message signing key.

All or a portion of the keys can be generated by: the issuer system, theparticipants, and/or otherwise generated. When all keys are generated bya single system (e.g., issuer system), the keys are preferablydistributed to the participants (e.g., users). The keys are preferablygenerated offline (e.g., in a system isolated from the Internet or othercommunication networks), but can alternatively be generated online. Keydistribution preferably occurs offline (e.g., an HSM with the keys arephysically or manually delivered to the participant), but canalternatively occur online (e.g., transferred over a securecommunication channel). The plaintext version of the keys are preferablydestroyed after key storage, but can alternatively be otherwiseretained. The keys can be generated contemporaneously (e.g., during thesame ceremony), or asynchronously (e.g., during different ceremonies).In a first example, all keys are generated during the same ceremony. Ina second example, the message signing keys for a set of participants aregenerated after the participants' authentication and encryption keys aregenerated. However, the keys can be otherwise generated.

The signing system 110 preferably interfaces with one or more blockchainnetworks (e.g., via one or more blockchain nodes hosted by the signingsystem 110 or a connected system). The blockchain networks arepreferably compatible with the message signing protocol(s) supported bythe signing system 110, but can alternatively be incompatible. Examplesof blockchain networks include UXTO-model protocols (e.g., Bitcoin,etc.); account-model protocols (e.g., Ethereum, ERC20 tokens, such asUSDC, Litecoin, etc.); and/or other protocols.

The signing system 110 preferably includes at least one of: an issuersystem 111; and a message signing system 112. In variants, the messagesigning system 110 can optionally include: an application programminginterface (API) system 113; at least one participant system 114(examples 114 a-c).

In variants, the issuer system 111 functions as a secure key generationsystem (e.g., for generating one or more of a message signing key pairauthentication key pair, encryption key pair, etc.). The issuer systemis preferably a centralized processing system (e.g., a remote computingsystem, a cloud system, a server system, etc.), but can alternatively bea distributed computing system. The issuer system can be an offlinesystem that is secured from public communication networks.

In some variations, the issuer system 111 performs one or more offlinekey generation processes. Additionally, or alternatively, the issuersystem 111 can perform one or more online key generation processes. Insome variations, the issuer system 111 functions to generate a signingprivate key during an offline key generation ceremony. In somevariations, during the key generation ceremony, the issuer system inalso generates a plurality of participant keys. In some variations, theissuer system 111 provides the participant keys to the participantsystems 114 a-c (or to users of the participant systems). Alternatively,the participant keys can be generated before the key generationceremony, wherein the participant keys are provided to the keygeneration ceremony for use.

The issuer system 111 can generate (e.g., in one or more keygenceremonies) one or more of the keys discussed above. Alternatively, thekeys can be generated by a different system. In some variations, theissuer system 111 provides each key AK_(P), ENK_(P) to a respectiveparticipant system (e.g., 114 a-c). In some variations, the issuersystem 111 provides key AKs to the message signing system 112.

In some variations, the message signing system 112 functions tocoordinate and maintain a protocol state and keep track of data that isprovided to participant systems for generation of a signature. Themessage signing system 112 can: identify the participants associatedwith a public signing key (PK), identify the encrypted signing keyshards associated with the public signing key (c_(i)), receive encryptednonce shares from the first quorum of participants, distribute theencrypted nonce shares that are encrypted to a requesting participant,aggregate the partial signatures, sign the message or distribute thepartial signatures to a participant for message signing, authenticateevery message received from a participant, and/or perform otherprocesses. The message signing system is preferably a centralized systemcontrolled by a platform or centralized service, but can alternativelybe a distributed system or other system.

The application programming interface (API) system 113 functions toreceive predetermined calls to the signing system 110, which cansubsequently be sent to and fulfilled by the issuer system, messagesigning system 112, participant system(s) 114, and/or other system.Examples of calls include: key generation requests, message signingrequests, and/or other requests.

The signing system 110 preferably interfaces with a set of participantsystems. Alternatively, the signing system 110 can include theparticipant systems. Each participant system 114 a-c functions toperform at least one process for generating a signature.

A participant system is preferably remote computing devices associatedwith (e.g., controlled by) a participant, but can alternatively be localand/or otherwise related to the signing system 110. Examples ofparticipant systems include: hardware security modules (HSMs), securecryptoprocessor chips, laptops, smartphones, mobile devices, tablets,smartwatches, desktop computers, servers and/or other computing system.The participant system can include including a processing system andmemory (e.g., storing the participant's private keys and otherparticipants' public keys). In some implementations, at least oneparticipant system is a device (e.g., an Internet connected mobiledevice) has a persistent network connection (e.g., to the Internet), andoptionally includes a notification module that functions to receiveasynchronous notifications (e.g., notifications for authorization input,etc.). In some implementations, at least one participant system is adevice with an intermittent network connection (e.g., to the Internet)(e.g., a laptop that is only connected to the network when the laptop ispowered on and not in a sleep mode).

The participants (e.g., users, individual accounts, etc.) are preferablypart of a participant group, wherein the participant set is associatedwith a platform account (e.g., associated with an entity). A givenparticipant can be associated with one or more participant groups.

Each participant system can store a participant key set, which caninclude: a participant authentication key (AK_(Pi), ak_(Pi),respectively, for participant i) and a participant encryption key(ENK_(Pi), enk_(Pi), respectively or ENC_(Pi), enc_(Pi), respectively,for participant i), but can additionally or alternatively be associatedwith other keys. The participant system can optionally store the publickeys for the message signing system (e.g., server, central system), theissuer, and/or other systems.

In some variations, participant systems include participant systemsmanaged by humans and participant systems managed by server(s) of thesigning system no. In some variations, server-managed participantsystems are used to improve security. By using server-managedparticipant systems, humans managing human-managed participant systemsdo not need to be trusted. Users of server-managed participant systemscan prevent an attack where a malicious set of t human participantscollude in an attempt to reconstruct the signing private key. In somevariations, a threshold of human-managed participant systems andserver-managed participant systems are required to be compromised for anattack to be successful.

In some variations, one or more of the components of the system areimplemented as a hardware device (e.g., 500 shown in FIG. 5 ) thatincludes one or more of a processor (e.g., 503 a-n), a display device(e.g., 591), a memory (e.g., 522), a read only memory (ROM) (e.g., 504),a storage device (e.g., 505), an audible output device, an input device(e.g., 581), an output device, and a communication interface (e.g.,511). In some variations, one or more components included in hardwaredevice are communicatively coupled via a bus (e.g., 501). In somevariations, one or more components included in the hardware device arecommunicatively coupled to an external system via the communicationinterface.

Processors can include one or more of a CPU (central processing unit),GPU (graphics processing unit), NPU (neural processing unit), and anyother suitable processing system that functions to executemachine-readable instructions. In variants, at least one of a processorand a memory can be included in a processing unit (e.g., 599).

The communication interface functions to communicate data between thehardware device and another device via a network (e.g., a privatenetwork, a public network, the Internet, and the like).

The storage devices can include machine-executable instructions (andoptionally data) for one or more of an operating system 530,applications 513, and device drivers 514.

In some variations, the storage device includes the machine-executableinstructions for performing at least a portion of the method 200described herein.

In some variations, at least one component of the system performs atleast a portion of the method 200 described herein.

4. Method.

FIGS. 2A-D are flowchart representations of a method 200. In somevariations, the method 200 includes at least one of: generating aprivate key S210; generating signing secrets by using the generatedprivate key S220; and processing a signing request by using the storedsigning secrets S230. In some implementations, at least one component ofthe signing system 110 performs at least a portion of the method 200.All or portions of the method can be performed automatically (e.g.,without user input), manually, in response to user input (e.g., userapproval, user connection of the respective participant system to anetwork, etc.), or otherwise performed.

The method can leverage verifiable secret sharing in one or more stepsof the method. VSS can function to provide a proof (VSS) alongside asecret share (e.g., of the message signing key, of a nonce) that allowsthe recipient to verify it was honestly generated, and that the senderor system generating the proof knew the secret that was shared. Invariants, the VSS can serve as a knowledge of secret key proof (KOSK)that the system generating the proof knows the discrete log of thepublic key it is creating the proof for. In one example, the signingsecret sharing proof is a set of commitments to coefficients of asharing polynomial used to split the message signing key into shares,and is generated with {V_(j)=a_(j)G}_(j ∈ [t]). To verify the proof, theverifier (e.g., receiver) with the share (s_(i))(e.g., of the messagesigning key k_(i) or nonce) checks the equality of the following:

${s_{i}G} = {\sum\limits_{j = 0}^{t - 1}{V_{j} \cdot i^{j}}}$for t participants, and/or verifies that the provided PK equals thefree-coefficient commitment V_(k, o) in

The method can leverage mutual authentication in one or more steps ofthe method. In variants, the receiver and sender (e.g., participants andserver) are able to mutually authenticate each other by signing therequest and response payloads with the respective authentication keys(e.g., with ak_(Pi) or ak_(S), respectively). In a specific example,participants making a request to the server must sign the full payloadwith their participant authentication key, wherein the server mustverify the signature is valid and belongs to a known participant beforeproceeding. In this example, response payloads from the server must besigned with the server authentication key, wherein the participant mustverify the signature is valid and matches the known serverauthentication key before proceeding. Similarly, recipient participantsmust verify that the sending participant's signature is valid beforeproceeding. However, the messages can be otherwise authenticated.

The method can leverage Authenticated Key Exchange (AKE) and/orAuthenticated Encryption with Associated Data (AEAD) in one or moresteps of the method (e.g., for all communication between two parties).This can enable secret data (e.g., nonce, other signing secrets) to beshared with participants such that only the sender and receiver know theplaintext content and can verify the participant who created it. In aspecific example, this can be accomplished by deriving a shared secretwith AKE and encrypting the shared secret with AEAD. However, this canbe otherwise accomplished.

In an example, AKE can include, for sender P_(i) and recipient P_(j):DH1=DH(AK_(Pi),ENK_(Pj))DH2=DH(EK_(Pi),AK_(Pj))DH3=DH(EK_(Pi),ENK_(Pj))secret encryption key=KDF(DH1∥DH2∥DH3)

where secret encryption key is a symmetric key used to encrypt themessage. The recipient can independently derive the secret encryptionkey (e.g., using the same method, with their information), and decryptciphertext received from the sender. In this example, (AK_(Pi), EK_(Pi))can be participant i's authentication key and a random ephemeral key forthe message, respectively, and (AK_(Pi), EK_(Pi)) can be participant j'sauthentication key and encryption key, respectively. DH1, DH2, and DH3can be generically represented as DH(PK1, PK2), where PK1 and PK2 aregeneric placeholders. DH(PK1, PK2) can represent the shared secret froman Elliptic-Curve Diffie-Hellman (ECDH) function between the keys (PK1,sk2) and (PK2, sk1) for (public, private) key pairs (PK1, sk1) and (PK2,sk2) and wherein KDF(k) computes a specified number of output bytes fromHKDF (Hash-based Key Derivation Function) which accepts an arbitrarysized byte sequence as input, and wherein wherein EK_(Pi), is anephemeral key of the sending system. However, any other suitable keyexchange method can be used. Alternatively, one-time keys and/or signedpre-keys can be used. The keys can be static (e.g., not regularlyrotated, which minimizes the number of keys a participant needs to trackand reduces the need to retain large amounts of keys, re-encrypting olddata to new keys, and/or burning previously-encrypted data on rotation),but can alternatively be rotated (e.g., using proactive secret sharingor another method).

When AEAD is used, the ciphertext can include cleartext associated data.The associated data can include the public authentication keys forsimple identification of who the message relates to. The associated datacan optionally include information about the message contents (e.g.,ciphertext type, such as an identifier for a nonce, different identifierfor a signing key, etc.; protocol versioning), and/or other information.For example, the symmetric secret key generated using AKE can be used toencrypt the message: Encrypt (sk, message, AK_(Pi)∥AK_(Pj)).

The method can leverage a distributed signing data generation protocol(e.g., a distributed signature generation protocol, a distributed keygeneration protocol, a distributed nonce generation protocol, etc.) inone or more steps (e.g., additional data generation). This can include:sending shares of secret data (e.g., message signing key, nonce) toother participants, wherein the other participants perform acomputation, shards and encrypts the result to the other n participants,and returns the encrypted shards. For example, this can include havingeach participant generate a nonce and create shares of it to send toother participants.

Throughout the method, cleartext versions of some or all secret data(e.g., message signing key, message signing key shares, nonce, etc.) canbe deleted after encryption or otherwise managed.

Generating a private key S210 functions to generate a message signingprivate key (sk). In a first variation, the issuer system 111 performsS210 (e.g., in a secure, offline key generation ceremony). In a secondvariation, one or more systems perform a distributed key generationprocess (e.g., an on-line process, such as using a threshold signingmethod) to generate the message signing private key. However, themessage signing private key can be generated in any suitable manner.

In some variations, the private key is converted into an expandedprivate key (epk) (S211). In some implementations, the expanded privatekey is an expanded private key of a key pair for an Ed25519 signature.Alternatively, the private key can be a private key of a key pair forany suitable type of signature. In some variations, converting theprivate key into an expanded private key includes hashing the privatekey with SHA512 and extracting the first 32 bytes of the hash output asa digest; and changing some bits of the digest, wherein the changeddigest is the expanded private key. However, keys generated at S210 canconform to any suitable format or protocol.

In some implementations, S210 includes generating a signatureverification key (S212). In some implementations, the signatureverification key is a public key (PK) of a key pair that includes themessage signing private key (sk), and the public key is used to verify asignature generated by using the message signing private key.

In some implementations, the expanded private key (generated at S211) isused to derive the signature verification key (e.g., PK). In someimplementations, deriving the signature verification key includesperforming scalar multiplication on the expanded private key. In someimplementations, the scalar multiplication is performed by using a basepoint according to the following equations: dG=Y, wherein d is theexpanded private key, G is the base point, and Y is the public key (PK).However, the signature verification key can be otherwise generated.

S210 can be performed in response to a key allocation request (e.g., asshown in FIG. 6 ), when key generation is requested, at a predeterminedtime, or at any other suitable time. Each instance of S210 is preferablyperformed for a specific participant group, wherein the participantidentities (e.g., participant key sets) and splitting-reconstructionconfiguration (e.g., t and n for a t of n signing quorum; SSSparameters; etc.) are known before or generated during the keygeneration ceremony. In variations, S210 includes selecting aparticipant group that includes n participants. The participant groupcan be selected at any suitable time (e.g., before or after receiving akey allocation request). In some implementations, a participant group isselected based on one or more of user input, configuration information,or in any suitable manner. In some implementations, a participant groupis identified based on a platform account (e.g., associated with the keyallocation request). However, S210 can be otherwise performed based onany other suitable data.

In some variations, as shown in FIG. 6 , a client system (e.g., externalsystem 104 shown in FIG. 1 ), sends a request to a system (e.g., issuer111, message signing system 112) to allocate a message signing privatekey for a user account associated with the client system (e.g., a coldstorage system). In some implementations, the key allocation request issigned by a private authentication key of the client system (e.g., 104).In some variations, in response, the system associates a message signingprivate key with the client system's authentication public keycorresponding to the authentication private key. In some variations, thesystem can optionally provide the client system with a notification thatthe message signing keys have been assigned to the authentication publickey, provide the client system with the message signing public key,and/or provide any other suitable response. In some variations, furtherrequests to authorize use of the allocated message signing private keyare authenticated by verifying that the request is signed with theclient system's authentication private key. However, any other suitableprocess can be used for key allocation.

The method can optionally include generating communication keys (e.g.,authentication keys, encryption keys, integrity key, etc.) (e.g., atS222, S223, and S224) used to securely provide the signing secrets (andadditional signing data) to participants (via participant systems114-c), and used to securely provide additional signing data and partialsignatures to the message signing message signing system 112. Invariants, the generated communication keys generated are used to providesecure broadcast communication between participant systems, and themessage signing message signing system 112 (and optionally the issuersystem 111). In some implementations, at least a portion of thecommunication keys are generated during generation of signing secretsS220. However, the communication keys can be generated at any suitabletime (e.g., before receiving a message signing request, after receivinga message signing request but before splitting the message signing keyinto shares, after splitting the message signing key into shares, etc.).In some implementations, the issuer system 111 generates at least aportion of the communication keys (e.g., all or some). However, anysuitable system (or combination of systems) can generate thecommunication keys (e.g., at S222, S223, and S224).

The communication keys can be securely distributed to one or more of themessage signing system 112 and participant systems 114 a-c in anysuitable manner. In some variations, at least a portion of the generatedcommunication keys (e.g., private keys or corresponding public/privatekey pairs) are injected into one or more HSM (Hardware Security Module)devices. Such HSM devices can then be communicatively coupled (orelectrically coupled) to a respective participant system (or the messagesigning system 112). Additionally, or alternatively, one or morecommunication keys can be encrypted with an import key to later beimported into the destination system (e.g., participant system, messagesigning system).

In variants, the generating communication keys includes one or more ofgenerating authentication keys, generating encryption keys, andgenerating an integrity key.

In some implementations, generating authentication keys S222 includesgenerating public and private key pairs. In some implementations, S222includes generating a server authentication key pair that includes apublic authentication key (AK_(s)) and a private authentication key(ak_(s)) for the message signing system 112. In some variations, theserver's public authentication key (AK_(s)) and private authenticationkey (ak_(s)) are provided to the message signing system 112. In someimplementations, S222 includes generating a participant authenticationkey pair that includes a public authentication key (AK_(p)) and aprivate authentication key (ak_(p)) for each participant system p (e.g.,114 a-c). In some variations, each authentication key pair that includesthe participant system public authentication key (AK_(p)) and theprivate authentication key (ak_(p)) is provided to the associatedparticipant system p (e.g., 114 a-c).

In some variations, generating participant encryption keys S223 includesgenerating a participant encryption key pair that includes a publicencryption key (ENK_(p)) and a private encryption key (enk_(p)) for eachparticipant system p (e.g., 114 a-c). In some variations, eachparticipant encryption key pair that includes the participant systempublic encryption key (ENK_(p)) and the private encryption key (enk_(p))is provided to the associated participant system p (e.g., 114 a-c).

In some variations, generating an integrity key S224 includes generatinga key generation (keygen) integrity key. In variants, this keygenintegrity key can be used to verify the identify of the system (orsystems) that generate the message signing key (or key shares). In afirst example, the keygen integrity key identifies the issuer system 111as the source of the message signing private key (and key shares). In asecond example, the keygen integrity key identifies participants usedduring a distributed key generation ceremony that for generation of themessage signing private key (and key shares). In variants, the signingsecrets are considered valid if the corresponding ciphertext decryptsusing the keygen integrity key. In some implementations, S224 includesgenerating a key generation integrity key pair that includes a publickeygen integrity key (PK_(KG)) and a private keygen integrity key(sk_(KG)). The keygen integrity key can be generated before or duringthe key generation ceremony (e.g., and used to encrypt the messagesigning key shares during the key generation ceremony), or be generatedafter.

Generating the signing secrets S220 functions to generate signing keyshards, each encrypted to a specific participant. In a first variation,the issuer system 111 performs S220. In a second variation, one or moresystems perform a distributed process (e.g., an online process) togenerate the signing secrets. However, the message signing secrets canbe generated in any suitable manner.

Generating signing secrets can include: splitting the message signingkey S221 and encrypting the shares S225, but can additionally oralternatively include any other suitable process.

S220 can include S221, which functions to split the message signing key.In a first variant, splitting the message signing key includes splittingthe message signing private key (sk) generated at S210. In a secondvariant, splitting the message signing key includes splitting theexpanded private key (epk) generated at S211.

In some variations, the message signing key is split into n shares orshards (k₁, . . . , k_(n)), wherein t of the n shares are required torecover the message signing key. In variants, the number n is apredefined number (e.g., a configurable number, a hardcoded number,etc.). Additionally, or alternatively, the number n can be specified ina key allocation request (e.g., as shown in FIG. 6 ) or otherwisedetermined. The message signing key can be split using Shamir's SecretSharing (SSS) or another secret sharing algorithm. In a specificexample, the Shamir's Secret Sharing process is performed over a finitefield modulo a number (Z_(q)), wherein the modulus is an order (q) ofthe base point (G) of the elliptic curve used to generate the public key(PK). However, the message signing key can be split in any suitablemanner.

In some implementations, S221 includes generating signing secret sharingproof for the message signing key shares. The signing secret sharingproof is a set of data that is used to verify that a message signing keyshare is actually a share of the message signing key. By using thesigning secret sharing proof, a recipient of a signing secret (generatedat S220) can verify that the share is a valid share for the messagesigning private key. The proof is preferably generated using VSS, butcan alternatively be generated using any other suitable proof algorithm.The proof is preferably generated using the message signing key (sk) orthe expanded signing key (epk), but can alternatively be generated usingany other suitable data.

The proof can be generated concurrently, before, or after messagesigning key splitting using the same or different instance of themessage signing key. In one example, the signing key (sk or epk) issplit into t of n shares and VSS proof with ((k₁, . . . , k_(n))V)=VSS(epk, t, n), with the secret signing proof represented as:V={V_(j)=α_(j)G}_(j∈[t]).

In some implementations, the Verifiable Secret Sharing process isperformed over a finite field modulo a number (Z_(q)), wherein themodulus is an order (q) of the base point (G) of the elliptic curve usedto generate the public key (PK). In some implementations, the VerifiableSecret Sharing (VSS) process is a Pedersen's Verifiable Secret Sharingprocess. In some implementations, the Verifiable Secret Sharing (VSS)process is any suitable type of secret sharing process.

In some implementations, the shares (k_(i), . . . , k_(n)) are encodedin big-endian bytes as as s_(i)=y_(i)∥x_(i) where y uses a fixed-bitlength encoding ranging from [0, q) and x is a single byte which rangesfrom [1, n+1], wherein “x∥y” represents the concatenation of bytesequences x and y, and wherein q is the order of the base point (G) ofthe elliptic curve used to generate the public key (PK). However, theshares can be encoded in any suitable manner.

Encrypting the shares S225 functions to encrypt each message signing keyshare to a specific participant. The shares can be encrypted to aparticipant in a 1:1, 1:m, or m:1 shares:participants relationship, orany other suitable relationship. In some variations, encrypting theshares at S225 includes encrypting the shares (k₁, . . . , k_(n))generated at S221 to generate encrypted shares (c₁, . . . , c_(n)). Eachencrypted share c_(i) is preferably encrypted to a different participant(e.g., wherein the participant group includes n participants), but canalternatively be encrypted to a participant shared with anotherencrypted share.

Encrypting the shares S225 can include: identifying a participant toencrypt to, determining the participant key set (or public keys thereof)associated with the identified participant, and encrypting the messagesigning key share using the participant key set.

The participants can be identified in any suitable manner. In someimplementations, participants are identified based on one or more ofconfiguration, hardcoded data, or data received via a key allocationrequest (e.g., the key allocation request shown in FIG. 6 ).

In variants, identifying participants includes identifying participantsystems (e.g., 114 a-c) for each identified participant system.Identifying a participant system can include identifying one or more ofthe following for each participant system: a message signing applicationendpoint identifier (e.g., an application level identifier thatidentifies a process running on a participant system), a physical layernetwork address (e.g., a MAC address), a network layer address (e.g., anIP address), a port number (e.g., a TCP port number), a sessionidentifier, a communication link identifier (for a persistentcommunication link), a security token, a participant identifier (e.g.,user name, login credentials, etc.), an account identifier, and thelike. However, participant systems and participants can otherwise beidentified.

The participant key set can be: retrieved from storage (e.g., localstorage, remote storage), received from the participant, or otherwisedetermined.

In variants, the participant key set includes at least one of aparticipant system public authentication key (AK_(p)) a publicencryption key (ENK_(p)) for each identified participant.

In some implementations, encrypting the shares includes: for each share,encrypting the share to a participant i using the participant's publicauthentication key, the participant's public encryption key, the publickeygen integrity key (PK_(KG)) (e.g., as the sender's authenticationkey) to generate an encrypted private key share (c_(i)). In somevariations, each share is encrypted to a specific participant. In somevariations, each share is encrypted to a specific set of participants,wherein encrypting a share to a set of participants includes encryptingthe share to each participant in the set of m participants (therebygenerating m encrypted versions of the same share). The shares canoptionally be encrypted based on additional information, such as anidentifier for a key share (e.g., ciphertext type), the public key ofthe keygen integrity key, the participant's public authentication key,the signing public key, the VSS proof, and/or any other suitableadditional information. The additional information can optionally beused to verify or identify the encrypted private key share.

In some implementations, encrypting the shares includes: for each share(s_(i)), encrypting the share by using a public authentication key (e.g,PK_(KG)) (e.g., the keygen integrity key) of the sending system sendingthe share (e.g., the issuer system 111), a public authentication key(e.g, AK_(pi)) of the participant receiving the share (e.g., aparticipant p_(i) associated with the share), a public encryption key(e.g., ENK_(pi)) of the participant, and optionally an a publicephemeral encryption key (e.g., EK_(i)) generated by the sending system.In an example, the aforementioned keys are used to generate anencryption key (e.g., a symmetric key) shared between the sending systemand the respective participant. In an example, each share is preferablyencrypted to a specific participant using AKE and AEAD, but can beencrypted in any other suitable manner.

In a specific example, generating an encryption key shared between thesending system and the respective participant includes deriving theencryption key by performing an Elliptic-Curve Diffie-Hellman (ECDH)process by using the public keygen integrity key (PK_(KG)) as the issuersystem 111's public key and by using the public authentication key(AK_(p)) generated for the participant system at S222.

In some implementations, generating an encryption key shared between thesending system and the respective participant is performed as follows:DH1=DH(PK_(KG),ENK_(p))DH2=DH(EK_(I),AK_(p))DH3=DH(EK_(I),ENK_(p))shared encryption key=KDF(DH1∥DH2∥DH3)

In some implementations, PK_(KG), ENK_(P), EK_(I), and AK_(p) are allpublic keys known to both the sending system and the respectiveparticipant, whereas the private keys corresponding to each of PK_(KG),and EK_(I) are known only to the sending system, and the private keyscorresponding to each of ENK_(p), and AK_(p) are known only to theparticipant (and optionally the system that generates the private keyscorresponding to each of ENK_(p), and AK_(p)).

In some implementations, the sending system (e.g., 111) calculates DH1by using ENK_(p) and the private key corresponding to PK_(KG), and theparticipant system for the participant p, calculates DH1 by usingPK_(KG) and the private key of ENK_(p).

In some implementations, the sending system calculates DH2 by usingAK_(p) and the private key corresponding to EK_(I), and the participantsystem for the participant p, calculates DH2 by using EK_(I) and theprivate key of AK_(p).

In some implementations, the sending system calculates DH₃ by usingENK_(p) and the private key corresponding to EK_(I), and the participantsystem for the participant p, calculates DH₃ by using EK_(I) and theprivate key of ENK_(p).

In some implementations, encrypting the shares includes: for each share(k_(i)), encrypting the share k_(i) as described herein to generate theshare ciphertext (c_(i)), and combining the resultant encrypted sharec_(i) with the associated data (e.g., wherein the associated data can beprovided as cleartext). In this variation, the associated data can beincluded as part of the encryption process, or be appended after k_(i)encryption.

In some implementations, encrypting the shares includes: for each share(k_(i)), combining the share k_(i) with associated data, and encryptingthe combined data (as described herein) to generate an encrypted sharec_(i).

In some implementations, encrypting the shares includes: for each share(k_(i)), encrypting the share k_(i) under the shared encryption key(e.g., generated as described herein) to generate an encrypted sharec_(i) (e.g., share ciphertext c_(i)) and combining the encrypted sharewith associated data.

In some implementations, the associated data includes the public keygenintegrity key (PK_(KG)) and the participant's authentication key AK_(p).In some implementations, the associated data includes the signatureverification key PK. In some implementations, the associated dataincludes the signing secret sharing proof (e.g., the VSS proof{circumflex over (V)}generated at S221). In some implementations, theassociated data includes a participant broadcast round identifier thatidentifies the secret share as being broadcast to each participant in atleast a first broadcast round.

In a specific example, the shares (of the private message signing key)can be encrypted using:c _(i)=AES(3DH(PK_(KG),AK_(Pi),ENK_(P1)),k _(i),ciphertexttype∥PK_(KG)∥AK_(Pi)∥PK∥{circumflex over (V)})

However, c_(i) can be otherwise generated.

In variants, the signing secrets generated at S220 (e.g., the encryptedshares c_(i) encrypted at S225, and optionally the associated data) arestored at S226. In some variations, the sending system (e.g., the issuersystem 111) stores the encrypted signing secrets (signing key shareciphertext) (c_(i)) (and optionally the associated data) in associationwith the signature verification key PK generated at S212. Additionallyor alternatively, the signing secret (c_(i)) can be stored inassociation with the respective participant (p_(i)). In some variations,the sending system stores the encrypted signing secrets (c_(i)) at themessage signing system 112, or in storage accessible by the messagesigning system 112. In some variations, the sending system stores theencrypted signing secrets (c_(i)) at a respective participant systemp_(i). The encypted signing secrets (c_(i)) are preferably stored online(e.g., in Internet- or externally-connected storage), but canalternatively be stored offline (e.g., in cold storage, etc.) ingeographically distributed storage, or otherwise stored.

In some variations, the sending system stores information at the messagesigning system 112 that associates a participant system i with aparticular share (c_(i)). For example, each encrypted message signingkey share (c_(i)) can be stored at the message signing system 112 inassociation with the public authentication key AK_(p) associated withthe key share (c_(i)). Additionally, or alternatively, the messagesigning system 112 can store information identifying each participantsystem with the associated message signing key share (c_(i)). However,message signing key shares (c_(i)) can be associated with participantsand/or participant systems 114 a-c in any suitable manner, such thatduring message signing the message signing system 112 can broadcast themessage signing key shares (c_(i)) to the appropriate participantsystems (e.g., during the first broadcast round). In variants, themessage signing system 112 can store information associating an indexwith each participant, such that the message signing system 112 canidentify the index i of a partial signature received from a participantsystem by based on the authenticated identity of the participant systemthat provides the partial signature. For example, if the publicauthentication key AK_(pi) is associated with index i at the messagesigning system 112, and the partial signature (s_(i)) provided byparticipant p_(i) is signed by using the associated privateauthentication key ak_(pi), then the message signing system can identifythe partial signature (s_(i)) as being the i_(th) partial signature, byverifying the signature with the public authentication key AK_(pi).

In variants, the signing secrets (c_(i)) (generated at S220 and storedat S226) can be updated to improve security. For example, to protectagainst a threat that several of the participant systems have beencompromised, the signing secrets can be updated such that anyinformation that an attacker obtains from a compromised system will nolonger be useful for message signing. In some variations, to protectagainst such attacks, the signing secrets can be updated (e.g.,re-encrypted to new participant keys; reconstructed, re-split, andre-encrypted; funds transferred to another PK, etc.). The signingsecrets (c_(i)) can be updated periodically, in response to detection ofa threat, in response to a command, or in response to any suitabletrigger or event.

Updating the signing secrets can include accessing (or restoring) themessage signing private key generated at S210, and re-splitting themessage signing private key into shares as described herein for S221.The shares can be encrypted to a set of participants (as describedherein for S225). The set of participants can be the pervious set ofparticipants. Alternatively, the shares can be encrypted to a differentset of participants (e.g., a set of participants that excludesparticipants that are believed to have been compromised). Onceencrypted, the encrypted updated shares can be stored at the messagingsigning system 112 (as described herein for S226). The old signingsecrets can be deleted at the message signing system 112, deprecated, orotherwise excluded from message signing operations. In this manner, thedata needed to perform message signing can be updated such thatcompromised data can be invalidated, without rotating the messagesigning private key. In this manner, message signing private key canstill be used without being rotated. Alternatively, the signing secrets(c_(i)) can be re-encrypted using new participant keys assigned to theparticipants of the respective participant group. However, the signingsecrets (c_(i)) can be otherwise updated.

In variants, the participants can perform proactive secret sharing toprotect against security threats (e.g., at S240), without requiringaccess to the message signing private key.

In some variations, the issuer system 111 performs at least a portion ofS221-S226. In some variations, the participant's local system (e.g.,user device, HSM, etc.) performs at least a portion of S221-S226.

FIG. 8 is an example of a key generation flow for a single messagesigning key and participant set, in accordance with variations. As shownin FIG. 8 , the expanded private key (esk) is split (S210),authentication keys (S222) and encryption keys (S223) are generated fora plurality of participant systems, the private key shares are encryptedto specific participants (S225), and the encrypted private key sharesare stored (S226). The private key shares can optionally be encrypted to(or otherwise associated with) the key generation ceremony instance viaan integrity key for the key generation ceremony.

Processing a signing request by using the stored signing secrets S230functions to cooperatively generate a signature for a message in adistributed manner. FIG. 7 is a representation of an exemplary signingflow, in accordance with variations. FIG. 9 is a representation of amessage signing flow for a single message, using a single split (orsharded) message signing key, in accordance with variations.

As shown in FIG. 11 , processing the signing request S230 can includeone or more of: receiving a signing request for a message S231;accessing stored signing secrets S232; providing the respective signingsecret to each of a set of participant systems S233; accessingadditional signing data (e.g., nonce shares) generated by otherparticipants S234; generating a signature based on the additionalsigning data (e.g., encrypted to the receiving participant) S235, andproviding the generated signature S236.

Additionally or alternatively, processing the signing request S230 caninclude: optionally receiving a signing notification; requesting themessage and the encrypted signing secrets encrypted to the participant;decrypting the encrypted signing secret S310; optionally verifying thevalidity of the signing secret and aborting if validation fails S320;generating additional signing data S330; splitting the additionalsigning data into additional signing data shares S340; encrypting eachadditional signing data share to a different participant (e.g., of theparticipant group) S350; and storing the additional signing data sharesS360 (e.g., at the message signing system 112) as shown in FIG. 3 .Processing the signing request S230 can additionally or alternativelyinclude: after a first quorum of additional signing data has beenreached, at a participant system of the participant group: accessing theparticipant's the encrypted signing secret c_(i) (S410); decrypting theparticipant's encrypted signing secret c_(i) (S420); verifying thevalidity of the signing secret (aborting if validation fails) (S430);accessing the additional signing data shares b_(ij) encrypted to theparticipant system p_(j) by the one or more other participant systemsp_(i) (S440); decrypting each encrypted additional signing data shareb_(ij) (S450); aggregating the decrypted additional signing data shares(e.g., nonce_(ij)) (S460); generating a partial signature by using thedecrypted additional signing data shares (nonce_(ij)) (S470); andoptionally providing the partial signature (e.g., to the message signingsystem 112) (S480), as shown in FIG. 4 , wherein a threshold number ofpartial signatures are aggregated into a valid signature in S235.

However, the signing request can be otherwise processed. All or aportion of S230 can be performed by the message signing system 112(e.g., S231-236), a participant system (e.g., S310-S360, S410-S480),and/or any other suitable system.

Receiving the signing request S231 functions to receive a request tosign a message (m). The signing request can be received by the messagesigning system 112, a participant system 114, and/or any other suitablesystem. The signing request can be received from an external system(e.g., 104) via the API system 113, from a client of the message signingsystem 112, be generated by the message signing system 112, or receivedfrom any other suitable endpoint. The external system can be a digitalwallet, a cold storage computing system (CSS), or any suitable type ofsystem. The signing request can include or identify: a message m to besigned, the signature verification key (PK) (e.g., such that the requestis a request for a signed message that can be verified by the signatureverification key (PK)), the blockchain that the message should be sentto, an expiration time, other metadata (e.g., message source, messagegeneration time, etc.), and/or any other suitable information.

S232 functions to access stored encrypted signing secrets (c_(i)) thatare associated with the signing request. In some implementations, themessage signing system 112 stores signing secrets for a single signatureverification key PK, and all signing secrets stored by the messagesigning system 112 are associated with the single verification key PK.In some implementations, the message signing system 112 stores signingsecrets for a plurality of signature verification keys (PK), the signingsystem 112 stores signing secrets in association with a respectiveverification key PK; accessing the stored signing secrets includesaccessing the signing secrets stored in association with a signatureverification key PK identified in the signing request.

S232 functions to access signing secrets for the signing requestreceived at S231. In some variations, each signing secret c_(i) isencrypted to a participant p_(i), and for each signing secret c_(i) theserver stores participant information for the related participant system(e.g., 114 a-c) with the signing secret c_(i). In some implementations,the message signing system 112 uses the stored participant informationto provide each signing secret c_(i) to the participant system of therespective participant p_(i).

In some variations, S233 includes, for each signing secret correspondingto the signing request, providing the signing secret c_(i) to respectiveparticipant system p_(i) along with the signature verification key PKand the message m associated with the signing request. In someimplementations, the message signing system 112 provides each signingsecret c_(i) to the respective participant system in a payload signedwith the server's private authentication key (ak_(s)) (generated atS222). In some implementations, providing the signing secrets to theparticipant systems at S233 is a first broadcast round (e.g., signinground) in the signing process that includes a plurality of broadcastcommunication rounds for sending data from the message signing system tothe participant systems.

In some variations, the signing secret sharing proof (e.g., VSS proof)for the signing secret is provided to the participant system along withthe signing secret. In some variations, the additional information forthe signing secret is provided to the participant system along with thesigning secret. In some variations, the index i for the signing secretis provided to the participant system along with the signing secret.

Participant systems 114 a receiving signing secrets at S233 can include:participant systems managed by humans, and participant systems managedby server(s) of the signing system 110 (e.g., server participants;system servers functioning as participants and holding participantauthentication keys and/or participant encryption keys; etc.), and/orparticipant systems managed by any other suitable entity or system. Theserver participants can be: centralized, distributed, or otherwiserelated. In some variations, a total number of human-managed participantsystems (h) is selected; a minimum number of required human-managedparticipant systems (q) is selected (wherein h>=q); a number ofserver-managed participant systems (s) is calculated based on h and q; aminimum number of shares (t) to reconstruct the message signing privatekey is calculated based on q and s; and the total number of shares (n)is calculated based on h and s.

In some variations, s is calculated as follows: s=h−q+1.

In some variations, t is calculated as follows: t=q+s.

In some variations, n is calculated as follows: n=h+s.

However, s, t, and n can be otherwise determined. Variants of the systemand method using server participants can automatically determine: thenumber of server participants, shares required to reconstruct, and thetotal number of shares required (e.g., based on the number of humanparticipants and user-specified or automatically determined quorum); andcan optionally automatically split the message signing key (e.g., inS220) and/or generate authentication and encryption keys for the humanand server participants based on the automatically determined valuesabove.

S234 functions to access additional signing data generated by at least tof n participants. The additional signing data is preferably datarelated to a nonce (e.g., a nonce share), but can alternatively berelated to a cryptographic seed or any other suitable additional signingdata required by the signing protocol. In variants, one or moreparticipant systems generates a portion of the additional signing data(e.g., an additional signing share) by using information sent to theparticipants by the message signing system 112 in the current broadcastround (e.g., the encrypted share c_(i), the decrypted share s_(i), thesignature verification key, the key share secret sharing proof, themessage to be signed, etc.). Participant systems can generate theadditional signing data in response to user input (e.g., inputidentifying user authorization), or automatically (without requiringuser input to authorize generation of the additional data).

In some variations, a participant system for participant p_(i) generatesadditional signing data (e.g., a nonce share) by using the signingsecret c_(i), signature verification key PK, and the message m providedby the server 111 at S233. In variants, a random nonce seed is also usedto generate the additional signing data. Any set of t of n participantscan perform nonce generation.

In some implementations, a participant system for participant p_(i)generates additional signing data by using a signed payload receivedfrom the message signing system 112. The signed payload is signed by themessage signing system's private authentication key (ak_(s)) (generatedat S222) and includes the signing secret c_(i), signature verificationkey PK, and the message m (and optionally the additional informationand/or a key share secret sharing proof). In some implementations, theparticipant system for p_(i) verifies that the payload's signature isvalid by using the server's public authentication key (AK_(s))(generated at S222). If the signature is invalid, p_(i) aborts themessage signing process.

Generating the additional signing data can include at least one of, by aparticipant system p_(i): decrypting the encrypted signing secret c_(i)(S310); optionally verifying the validity of the signing secret(aborting if validation fails) (S320); generating additional signingdata (S330); splitting the additional signing data into additionalsigning data shares (S340); encrypting the additional signing datashares (S350); and storing the additional signing data shares (S360), asshown in FIG. 3 . However, additional signing data can be otherwisedetermined. In some implementations, storing the additional signing datashares (S360) includes storing the encrypted nonce shares b_(ij) at themessage signing system 112. In some variations, steps S310-S360 areperformed by a participant system 114. This process is preferablyperformed by at least t participant systems (e.g., concurrently, withina predetermined time threshold), but can alternatively be performed byless. However, S310-S360 can otherwise be performed.

Decrypting a signing secret S310 with a participant system form caninclude decrypting the encrypted signing secret by using the privateauthentication key (ak_(pi)) for the public authentication key (AK_(pi))associated with the encrypted signing secret (e.g., identified by theassociated data for the signing secret). In variants, participant systemfor p_(i) uses one or more of the participant Pi's private signing key(enk_(pi)), the public keygen integrity key PK_(KG), and/or a publicissuer ephemeral key (EK_(i)) to decrypt the encrypted signing secret.

Decrypting a signing secret S310 can include deriving the sharedencryption key used at step S225 (e.g., using AKE) and using the derivedencryption key to decrypt the signing secret. In some variations, thedecrypted signing secret includes a message signing key share generatedat S221. In some variations, S310 includes accessing the key sharesecret sharing proof generated at S221, and using the key share secretsharing proof to verify the decrypted signing secret (e.g., to verifythat the share is in fact a share of the message signing private key).In some variations, the decrypted signing secret includes the additionalinformation for the signing secret.

In some variations, deriving the shared encryption key includes:calculating DH1 by using PK_(KG) (stored in a trusted data sourceaccessible to the participant system) and the private key of ENK_(p)(which is securely stored for the participant system); calculating DH2by using EK_(I) (stored in a trusted data source accessible to theparticipant system) and the private key of AK_(p) (which is securelystored for the participant system); calculating DH3 by using EK_(I) andthe private key of ENK_(p); generating a byte sequence by concatenatingDH1∥DH2∥DH3; and deriving the encryption key as a result ofKDF(DH1∥DH2∥DH3).

In some variations, key share secret sharing proof is a VSS proof, andverifying the validity of the signing secret (S320) includes verifyingthe VSS proof (V={V_(j)=a_(j)G}_(j∈[t])={a₀G, a₁G . . . , a_(t-1)G}) forthe decrypted signing secret. In some variations, each Vj of the VSSproof is a commitment value, and each a_(j), is the j-th coefficient ofthe sharing polynomial used for splitting the message signing key intoshares and G is the base point of the elliptic curve used to generatethe signature verification key. In some variations, verifying thevalidity includes verifying the signing secret k_(i) by checking theequality for j ∈ [t]:k _(i) G=Σ _(j=0) ^(t-1) V _(j) ·i ^(j)=(a ₀ G·i ⁰)+(a ₁ G·i ¹)+ . . .+(a _(t-1) G·i ^(t-1))

, wherein values for a₀G, a₁G . . . , a_(t-1)G are provided by the VSSproof, and wherein i is the index of the signing secret that isassociated with the participant system (e.g., by information stored atthe message signing system 112, and optionally provided by the messagesigning system 112 to the participant system). In some variations,verifying the validity includes verifying that the signatureverification key PK equals the free-coefficient commitment V_(j,o) in V_(j).

In a first variation, generating additional signing data (S330)includes: generating a random number (e.g., a nonce).

In a second variation, generating additional signing data (S330)includes: generating the data by performing a distributed key generationprocess.

In a third variation, generating additional signing data (S330)includes: generating the additional signing data based on the signingsecret k_(i) and/or the signing secret with additional info. In aspecific example, the additional signing data is generated by:generating a random nonce seed (e.g., a 32-bit nonce seed, generatedusing r_(i) ←^($){0, 1}³²), and calculating the nonce:r _(i)=HKDF(signing secret∥nonce seed,broadcast round identifier∥PK∥m)

wherein the broadcast round identifier (e.g., “2”) can be different fromthe message signing key broadcast round identifier (e.g., “1’). Invariants, the broadcast round identifier identifies the broadcast roundin which the generated additional signing data is broadcasted from themessage signing system to other participant systems.

In some variations, generating additional signing data (S330) includes:generating a nonce public key pair that includes a generated nonce and anonce public key R. In some implementations, generating the nonce publickey R includes performing scalar multiplication of the nonce nonce bythe base point G used to generate the signature verification key (atS212) (e.g., R=nonceG).

In some variations, generating additional signing data (S330) includes:generating a random number, and multiplying the random number by one oftwo challenges to produce a nonce.

In some variations, a subset of participants (of the set ofparticipants) each generate a different additional signing data (e.g.,based on the decrypted key share k_(i), based on the message m, etc.),wherein the respective additional signing data share (r_(i)) isencrypted to each participant (p_(j)) of the set of participants togenerate an encrypted additional signing data share (b_(j))) for eachparticipant of the set of participants (b₁, . . . , b_(n)), associatedwith the respective additional signing data share. In variants, theadditional signing data is generated based on a secure distributed keygeneration protocol (e.g., such that the additional signing datagenerated by different participants within the same participant set arerelated), but can be generated using any other suitable method. Theadditional signing data can be: randomly generated, generated using aMonte Carlo method (e.g., LDS method), deterministically generated, orotherwise generated.

In some variations, the additional signing data (e.g., r_(i)) is splitinto shares (e.g., nonce shares). The additional signing data ispreferably split using the same t of n configuration as that used formessage signing key splitting (e.g., wherein the splitting configurationcan be predetermined or sent to the participants), but can be otherwisesplit. For example, splitting the additional signing data into shares(S340) includes splitting the additional signing data into n shares(e.g., nonce_(i), . . . , nonce_(n)), wherein t of the n shares arerequired to recover the message signing key (as described herein forS221). In some variations, splitting the additional signing data intoshares (S340) includes generating a signing secret sharing proof thatcan be used to verify that the shares are in fact shares of theadditional signing data. In variants, the proof is a VSS proof generatedby a VSS process used to split the additional signing data into n shares(nonce_(i), . . . , nonce_(n)) (as described above, such as for S221).

In some variations, encrypting the additional signing data shares (S350)includes: for each participant system for a participant P_(i),encrypting the associated additional signing data share (e.g.,nonce_(j)) to participant P_(j). In some implementations, encrypting theshares includes: for each share (p_(i)), encrypting the share by using apublic authentication key (e.g., AK_(Pi)) of the sending system sendingthe share (e.g., participant P_(i)), a public authentication key (e.g.,AK_(Pj)) of the participant receiving the share, a public encryption key(e.g., ENK_(Pj)) of the receiving participant, and optionally a publicephemeral encryption key (e.g., EK_(Pi)) generated by the sendingparticipant P_(i). In an example, the aforementioned keys are used togenerate an encryption key (e.g., a symmetric key) shared between thesending participant and the respective participant.

In some implementations, encrypting the shares includes: for each share(p_(i)), encrypting the share by using a shared encryption key. In somevariations, the participant system P_(i) generating the additionalsigning data share derives a shared encryption key for encrypting thedata to a participant system P_(j) by: calculating DH1 by using theprivate key of AK_(pi) (the authentication key of participant systemP_(i)) and ENK_(pj) (the public encryption key for participant systemP_(j)); calculating DH2 by using the private key of EK_(pi) (theephemeral key for participant system P_(i)) and AK_(pj) (theauthentication key of participant system P_(j)); calculating DH₃ byusing the private key of EK_(pi) and ENK_(pj); generating a bytesequence by concatenating DH1∥DH2∥DH₃; and deriving the encryption keyas a result of KDF(DH1∥DH2∥DH₃).

In some implementations, encrypting the additional signing data sharesincludes: for each share (e.g., nonce_(i)), encrypting the share (e.g.,nonce_(i)) with the shared encryption key (e.g., generated at S350), andcombining the resultant encrypted share b_(j) with the associated data(e.g., wherein the associated data can be provided as cleartext). Inthis variation, the associated data can be included as part of theencryption process, or be appended after encryption.

In some implementations, encrypting the additional signing data sharesincludes: for each additional signing data share (e.g., nonce_(i)),combining the share (e.g., nonce_(j)) with associated data, andencrypting the combined data under the shared encryption key (e.g.,generated at S350) to generate an encrypted share b_(j).

In some implementations, encrypting the shares includes: for each share(e.g., nonce_(i)), encrypting the (e.g., nonce_(j)) under the sharedencryption key (e.g., generated at S350) to generate an encrypted shareb_(j), and combining the encrypted share with associated data.

The associated data can include: the ciphertext type (e.g., nonce),AK_(pi) (the authentication key of participant system P_(i)) and AK_(pj)(the authentication key of participant system P_(j)), the signatureverification key PK, the message m, the signing secret sharing proofgenerated at S340, and/or any other suitable information.

Each encrypted share b_(ij) is generated by the participant system p_(i)for each participant system p_(j). In one example, the encrypted nonceshare is generated using:b _(ij)=AES(3DH(AK_(Pi),AK_(Pj),EK_(Pj)),r_(ij),2∥AK_(Pi)∥AK_(Pj)∥PK∥m∥{circumflex over (V)})

In some implementations, storing the additional signing data shares(S360) includes storing the encrypted additional signing data sharesb_(ij) at the message signing system 112 (e.g., sending the additionalsigning data shares b_(i1) . . . b_(in) to the message signing system112 for storage). All shares are preferably uploaded (e.g., includingthe share encrypted to the generating participant (b_(ii));alternatively, only shares encrypted to other participants are uploaded.

In some implementations, the server S112 stores each encrypted nonceshares b_(ij) in association with the corresponding message m andsignature verification key PK.

In some implementations, S360 includes the participant system p_(i)signing a payload that includes the additional signing data shares, thesigned payload being signed by the participant system's privateauthentication key (ak_(pi)) (generated at S222). In someimplementations, the message signing system 112 verifies that thepayload's signature is valid by using the participant system p_(i)'spublic authentication key (AK_(pi)) (generated at S222).

In some implementations, after accessing (and optionally authenticating)additional signing data shares generated by a threshold number (e.g., t,quorum) of participants (at S234 shown in FIG. 2D), a broadcast roundbegins (e.g., second broadcast round).

Reverting to FIG. 2D, generating a signature S235 functions to generatea signature for the signing request (received at S231) by using thestored signing secrets.

In some variations, the signature is an Ed25519 signature. In someimplementations, the signature is a signature in accordance with anEdDSA signature scheme. In some implementations, the signature isparameterized to SHA-512 and Curve 25519. However, the signature can beany suitable type of signature, including, but not limited to, aBoneh-Lynn-Shacham (BLS) signature, a Schnorr signature, and the like.

In some variations, S235 includes two or more participant systemsproducing partial signatures for the message identified in the signingrequest. In some implementations, since the message signing private keyis split into n shares, t of which are needed for signing, at least tparticipant systems must produce partial signatures. The set ofparticipant systems that provide partial signatures for the messagesigning can be a different set of participant systems that generate anonce at S330.

In a first variation, generating partial signatures is performed after afirst broadcast round (e.g., a first round in which the encryptedsigning secrets are broadcasted by the message signing system to eachparticipant system). In a second variation, generating partialsignatures is performed after two or more broadcast rounds. In eachbroadcast round prior to the partial signature generation round, one ormore participant systems receive data from the message signing system112, generates data (e.g., using the data provided by the messagesigning system 112 in the current round, or in previous rounds), andprovided the data generated by the participant system in that round tothe message signing system. This data can then be broadcasted by themessage signing system 112 to all the other participant systems in thesignature generation round, or in a further data generation round. Invariants, the number of rounds can be based on security constraints,signature protocol requirements, usability constraints, efficiencyconstraints, and network connectivity constraints, and any othersuitable type of constraint.

In some variations, S235 includes the message signing system 112initiating a second broadcast round by providing to each participantsystem p_(i): the message to be signed m; the signature verification key(PK); their respective encrypted signing secret c_(i) and the encryptedadditional signing data shares b_(ij) encrypted to the participant p_(i)(by the participant system for p_(i) and each of the other participantsp_(j)). Alternatively, the second broadcast round can be initiated by aparticipant or another system. In some implementations, at S235 themessage signing system 112 provides the message m, the signatureverification key (PK), and their respective encrypted signing secretc_(i) to the participant system for p_(i) in a payload signed by themessage signing system's private authentication key (ak_(s)) (generatedat S222). In some implementations, each participant system verifies thatthe payload's signature is valid by using the server's publicauthentication key (AK_(s)) (generated at S222) (S410 shown in FIG. 4 ).In some variations, the encrypted additional signing data shares b_(ij)are included in the signed payload.

In some variations, generation of a partial signature by a participantsystem for p_(i) can be performed in response to user input (e.g., inputidentifying user authorization), or automatically (without requiringuser input to authorize generation of the a partial signature).

In some variations, generation of a partial signature by a participantsystem for p_(i) includes at least one of: accessing the participant'sthe encrypted signing secret c_(i) (S410); decrypting the participant'sthe encrypted signing secret c_(i) (S420); verifying the validity of thesigning secret (aborting if validation fails) (S430); accessing theadditional signing data shares b_(ij) encrypted to the participantsystem p_(i) by the participant system p_(i) and each of the otherparticipants p_(j) (S440); decrypting each encrypted additional signingdata share b_(ij) (S450); aggregating the decrypted additional signingdata shares (e.g., nonce_(ij)) (S460); generating a partial signature byusing the decrypted additional signing data shares (nonce_(ij)) (S470);and providing the partial signature (e.g., to the message signing system112) (S480), as shown in FIG. 4 . In some variations, steps S410-S480are performed by a participant system 114. This process is preferablyperformed by at least t participant systems (e.g., concurrently, withina predetermined time threshold), but can alternatively be performed byless. The t participant systems generating the partial signatures can bethe same as or different from the participant systems generating thenonce.

Decrypting the participant's encrypted signing secret c_(i) (S420)includes decrypting the encrypted signing secret c_(i) (e.g., using AKE;as described herein for S310; etc.).

Verifying the validity of the signing secret (aborting if validationfails) (S430) includes: verifying the validity of the signing secret(e.g., using VSS; as described herein for S320; etc.).

Accessing the additional signing data shares b_(ij) encrypted to theparticipant system P_(i) by the participant system P_(j) (S440)functions to fetch at least t additional signing data shares (e.g.,nonce share ciphertexts, encrypted nonce shares), each generated by adifferent participant (e.g., inclusive or exclusive of the instantaneousparticipant P_(i)). The additional signing data shares can be retrievedfrom the message signing system 112, from the other participants, and/orany other suitable source. The additional signing data shares can beretrieved or received: after signing secret validation; in response to arequest to the message signing system; with the encrypted signingsecret; and/or at any other suitable time.

Decrypting each encrypted additional signing data share b_(ij) (S450)with a participant system for P_(i) includes decrypting the encryptedadditional signing data share by using the private authentication key(ak_(pi)) for the public authentication key (AK_(pi)) associated withthe encrypted signing secret (e.g., identified by the associated datafor the signing secret). The participant system for P_(i) canadditionally or alternatively use one or more of the participant P_(i)'sprivate encryption key (enk_(Pi)), the public authentication key(AK_(Pj)) associated with the participant generating the encrypted data,and a public participant ephemeral key (EK_(j)) (associated with theparticipant generating the encrypted data) to decrypt the encrypted dataat S450.

Decrypting additional signing data share b_(ij) can include deriving theshared encryption key used at step S350 and using the derived encryptionkey to decrypt the encrypted additional signing data share b_(ij). Theshared encryption key can be derived based on b_(ij)'s associated data(e.g., ciphertext type, AK_(sender), AK_(recipient), PK, m, proof,etc.), and/or other data.

In some variations, the encrypted additional signing data share b_(ij)includes the additional signing data share (e.g., nonce_(ij)) generatedat S340. In some variations, the signing secret sharing proof generatedat S340 is provided with the encrypted additional signing data shareb_(ij).

In some variations, deriving the shared encryption key used at S350includes: calculating DH1 by using AK_(pj) (the public authenticationkey of participant system p_(j)) and the private key of ENK_(pi) (theencryption key of the participant system p_(i)); calculating DH2 byusing EK_(pj) (the public ephemeral key of the participant system p_(j))and the private key of AK_(pi) (the authentication key of theparticipant system p_(i)); calculating DH3 by using EK_(pj) and theprivate key of ENK_(pi); generating a byte sequence by concatenatingDH1∥DH2∥DH3; and deriving the shared encryption key as a result ofKDF(DH1∥DH2∥DH3).

In some variations, S450 includes, for each additional signing datashare (e.g., nonce_(ij)), verifying the validity of the additionalsigning data share by verifying the signing secret sharing proofincluded along side the decrypted nonce. This is preferably performedafter additional signing data share decryption, but can alternativelyoccur before. In variants, the signing secret sharing proof is a VSSproof (V={V_(k)=a_(k)G}_(k∈[t])={a₀G, a₁G . . . , a_(t-1)G}). In someimplementations, each Vk of the VSS proof is a commitment value, andeach a_(k), is the k-th coefficient of the sharing polynomial used forsplitting the additional signing data (e.g., nonce_(j)) into shares(nonce_(ij)) and G is the base point of the elliptic curve used togenerate the nonce public key. In some variations, verifying thevalidity includes verifying the additional signing data share bychecking the equality for k ∈ [t]:nonce_(ij) G=Σ _(k=0) ^(t-1) V _(k) ·i ^(k)=(a ₀ G·i ⁰)+(a ₁ G·i ¹)+ . .. +(a _(t-1) G·i ^(t-1))

, wherein values for a₀G, a₁G . . . , a_(t-1)G are provided by the VSSproof, and wherein i is the index of the additional signing data share(e.g., nonce_(j)) that is associated with the participant system (e.g.,by information stored at the message signing system 112, and optionallyprovided by the message signing system 112 to the participant system).Verifying the validity can optionally include verifying that there areno duplicate VSS proofs.

In some variations, verifying the validity includes the participantsystem P_(i) verifying that t additional signing data shares (e.g., tnonce share ciphertexts) have been provided to the participant systemP_(i).

In some variations, verifying the validity includes verifying that thereare no two additional signing data shares have the same sender publicauthentication key (AK_(pj)) (e.g., each share should be from adifferent participant system, and if authentication informationindicates that one participant system generated two or more of thereceive nonce shares, then the process should be aborted).

In some variations, verifying the validity includes verifying that alladditional signing data shares have the participant system's publicauthentication key (AK_(pi)) as the recipient authentication key(meaning that all received additional signing data shares were intendedfor the participant system p_(i)).

In some variations, if any verification step fails, the process isaborted. On the other hand, if verification is successful, the verifiedand decrypted additional signing data shares (one from a differentparticipant system) are aggregated at S460.

Aggregating the decrypted additional signing data shares (e.g.,nonce_(ji)) (S460) functions to generate an aggregated additionalsigning datum for partial signing. The aggregated additional signingdatum is preferably specific to P_(i), but can alternatively be sharedbetween participants. The aggregated additional signing datum ispreferably different from the additional signing data generated in S330,but can alternatively be the same. Aggregating the additional signingdata shares (e.g., decrypted nonce shares) can include calculating theaggregated signing data shares according to:{circumflex over (p)}=Σ _(j=0) ^(t-1) p _(j)(mod q)

where {circumflex over (p)}_(i) is the aggregated additional signingdatum for P_(i) (e.g., aggregated nonce), and p_(j) is the additionalsigning data share from each P_(j) that was encrypted to P_(i). However,the aggregated additional signing datum can be otherwise determined.

Aggregating the decrypted additional signing data shares can optionallyinclude aggregating the public keys of the additional signing datashares. In one example, this includes aggregating the nonce share publickeys R. In a specific example, R can be determined using:R=Σ _(j=0) ^(t-1) R _(j)

where Rj is the public key for the additional signing data share fromeach P_(j). In a specific example, S460 can output the tuple (k_(i),{circumflex over (p)}_(i), R, PK), which can be used for partialsignature generation.

Generating the partial signature S470 functions to generate pieces ofthe signature that are invalid in isolation but become valid under PK(e.g., for m) once a threshold of partial signatures (e.g., t partialsignatures) are combined. S470 is preferably performed by participantsystem p_(i), but can be generated by other systems. The partialsignature is preferably generated based on the aggregated additionalsigning datum (e.g., the aggregated nonce), the public aggregatedadditional signing data key (R), PK, the message, the decrypted signingsecret (e.g., decrypted signing key share k_(i)), and/or other data. Thepartial signature is preferably generated after the aggregatedadditional signing datum is generated (e.g., immediately after, after adelay), but can alternatively be generated: after the other participantshave generated their respective aggregated additional signing datum,after a predetermined event occurrence, and/or at any suitable time. Ina specific example, each participant P_(i) within the second participantset (e.g., each participant of t participants, part of the secondquorum, part of the second broadcast round) calculatess_(i):={circumflex over (p)}_(i)+SHA512(R∥PK∥m)·k_(i)(mod q), wherein qis the order of the base point G used to generate the signatureverification key PK, and determines the partial signature asσ_(i):=R∥s_(i), wherein the partial signature (s_(i)) can be uploaded tothe message signing system 112 with an identifier for P_(j). However,the partial signatures can be otherwise generated.

In variants, several broadcast rounds are performed to generate asignature, and in each round the message signing system 112 broadcastsinformation to each participant system. In some implementations, afterat least a predetermined number (e.g., t, the number of partialsignatures required to generate a signature) of participants returnadditional signing data to the message signing system 112, the messagesigning system initiates another broadcast round (e.g., to receivefurther additional signing data from the participant systems, or toreceive partial signatures from the participant systems). In someimplementations, additional signing data generated in at least one ofthe broadcast rounds is used to generate the partial signatures.

In variants, the participant system p_(i) generates a partial signatureS470 by signing the message (to be signed) by using the signing secretdecrypted at S310 and the aggregated additional signing data shares(e.g., nonce shares nonce_(ji))

At S480, the participant system P_(i) provides the generated partialsignature to the message signing system 112. In variants, theparticipant system P_(i) provides the partial signature in a signedpayload that is signed by the participant system's privateauthentication key (ak_(pi)) (generated at S222). In someimplementations, the message signing system 112 verifies that thepayload's signature is valid by using the participant system P_(i)'spublic authentication key (AK_(pi)) (generated at S222). In somevariations, the signed payload also includes the aggregated nonce publickey R.

Generating a signature based on the additional signing data S235functions to generate a valid signature out of the partial signatures.S235 can include aggregating the t partial signatures received from theparticipant systems, which functions to generate a signature thatverifies under signing public key PK. S235 can be performed by themessage signing system 112 (e.g., wherein the message signing system 235receives partial signatures from t participant systems), by aparticipant system, and/or any other system. In some variations,aggregating the t partial signatures includes aggregating the partialsignatures together as Shamir Shares. In some variations, the messagesigning system 112 stores information associating each message signingkey share index i with a participant system, and the key share index iis used to aggregate the partial signatures using the Shamir Sharingreconstruction process as shown below:

$s = {{\sum\limits_{i = 0}^{t - 1}s_{i}} = {{\prod\limits_{{j = 0}, \neq}^{t - 1}\frac{x_{j}}{x_{j} - x_{i}}} = {r + {c \cdot {sk}}}}}$

In some variations, the aggregate partial signature s, along with noncepubkey R, is a valid signature for the public key PK. In somevariations, the message signing system 112 verifies the signature (R, s)with message m and PK and verifies that the nonce value R has not beenpreviously used. Prior to aggregation, the message signing system 112can optionally verify that each partial signature uses the same R value.

S236 functions to provide the generated signature (and/or signedmessage) to at least one system (e.g., the external system 104, ablockchain network associated with the message, etc.) as a response tothe signing request.

In variants, the method 200 includes performing proactive secret sharingS240 to improve security (e.g., as shown in FIG. 10 ). In somevariations, performing proactive secret sharing includes eachparticipant updating the additional signing data shares generated by theparticipant and replacing the existing additional signing data shares(stored at the message signing system 112) with the updated shares.

In variants, the message signing system 112 initiates proactive secretsharing by sending each participant system a request to update theiradditional signing data shares S241. The update request can be signed byusing the authentication private key of the message signing system.

In some variations, in response to the update request, a participantsystem (e.g., 114 a-c) splits a zero (0) value into n shares (zero-valueshares), encrypts the zero-value shares to each of the participants, andstores the zero-value shares at the message signing system 112 (S242).In some implementations, the zero values are split as described hereinfor S340, encrypted as described herein for S350, and stored asdescribed herein for S360.

In response to the zero-value shares from at least a threshold number ofparticipants (e.g., t participants), the message signing system 112provides each participant system with the encrypted additional signingdata shares and the encrypted zero-value shares (from each participant)at S243.

The encrypted zero-value shares and the encrypted additional signingdata shares are decrypted, as described herein for S450. Each zero-valueshare is matched with a corresponding additional signing data share(e.g., according to the participant that generated the share), and thetwo shares are combined (e.g., added) S244. The combined shares areencrypted to each of the participants S245, and stored at the messagesigning system 112 S246. In some implementations, combined shares areencrypted as described herein for S350, and stored as described hereinfor S360. In some implementations, the message signing system 112replaces the old additional signing data shares with the encryptedcombined shares S247. Since valid aggregated zero-value shares sum tozero, the aggregated value of the updated additional signing data sharesdoes not change. However, if a malicious system does not have zero-valueshares, then the malicious system will not be able to produce a validpartial signature (e.g., a partial signature that can be combined withother partial signatures to form a valid full signature).

However, proactive secret sharing can otherwise be performed.

Embodiments of the system and/or method can include every combinationand permutation of the various system components and the various methodprocesses, wherein one or more instances of the method and/or processesdescribed herein can be performed asynchronously (e.g., sequentially),concurrently (e.g., in parallel), or in any other suitable order byand/or using one or more instances of the systems, elements, and/orentities described herein.

As a person skilled in the art will recognize from the previous detaileddescription and from the figures and claims, modifications and changescan be made to the preferred embodiments of the invention withoutdeparting from the scope of this invention defined in the followingclaims.

We claim:
 1. A distributed cryptographic signing method, comprising,with a message signing system: receiving a message associated with apublic signing key; facilitating collective generation of a set of nonceshares by using participant systems for each participant in a first setof message signing participants, wherein each participant system for aparticipant in the first set: generates a nonce seed, generates a noncebased on: the generated nonce seed, the message, the public signing key,and a respective share of a private signing key associated with thepublic signing key, splits the nonce into nonce shares, and encryptseach nonce share to a respective message signing participant;facilitating collective generation of a signature for the message byusing participant systems for each participant in a second set ofmessage signing participants, wherein each participant system for aparticipant in the second set generates a partial signature based onnonce shares that are encrypted to the participant, wherein the messagesigning system generates the signature by aggregating the partialsignatures; and generating a signed message by appending the signatureto the message.
 2. The method of claim 1, wherein the message signingsystem facilitates collective generation of the signature in response toreceiving nonce shares from a threshold number of participant systems.3. The method of claim 1, further comprising: with the message signingsystem: identifying a set of public key message signing participantsthat are associated with the public signing key, wherein the set ofpublic key message signing participants includes the first set and thesecond set; and accessing shares of the private signing key for eachmessage signing participant in the identified set of public key messagesigning participants.
 4. The method of claim 3, wherein each share ofthe private signing key is encrypted to a respective one of the messagesigning participants in the identified set of public key message signingparticipants.
 5. The method of claim 3, wherein facilitating collectivegeneration of a set of nonce shares comprises: securely providing to aparticipant system for each message signing participant in theidentified set of public key message signing participants: the message,the public signing key, and the respective share of the private signingkey; and securely receiving from each participant system of the firstset of message signing participants: a nonce share for each messagesigning participant in the identified set of public key message signingparticipants.
 6. The method of claim 5, wherein facilitating collectivegeneration of a signature for the message comprises: securely providingto the participant system for each message signing participant in theidentified set of public key message signing participants: therespective nonce shares that are provided by the participant systems ofthe first set; and securely receiving from each participant system ofthe second set of message signing participants: the partial signaturegenerated by the participant system, wherein the message signing systemgenerates the signature for the message in response to receiving apartial signature from a threshold number of participant systems.
 7. Themethod of claim 3, wherein facilitating collective generation of a setof nonce shares comprises: securely providing to a participant systemfor each message signing participant in the identified set of public keymessage signing participants: the message, the public signing key, therespective share of the private signing key, and a proof for the shareof the private signing key; and securely receiving from each participantsystem of the first set of message signing participants: a nonce sharefor each message signing participant in the identified set of public keymessage signing participants, and a nonce share proof for each nonceshare.
 8. The method of claim 7, wherein facilitating collectivegeneration of a signature for the message comprises: securely providingto the participant system for each message signing participant in theidentified set of public key message signing participants: therespective nonce shares and nonce share proofs that are provided by theparticipant systems of the first set; and securely receiving from eachparticipant system of the second set of message signing participants:the partial signature generated by the participant system, wherein themessage signing system generates the signature for the message inresponse to receiving a partial signature from a threshold number ofparticipant systems.
 9. The method of claim 1, further comprising, themessage signing system receiving the shares of the private signing keyfrom a secure key generation system that is external to the messagesigning system and the participant systems.
 10. The method of claim 9,further comprising, the message signing system receiving proofs for theshares of the private signing key from the secure key generation system,wherein each proof is a Verifiable Secret Sharing (VSS) proof.
 11. Themethod of claim 1, wherein each participant system for each participantin the first set of message signing participants randomly generates therespective nonce seed.
 12. The method of claim 1, further comprising:with the message signing system: receiving, from at least a thresholdnumber of participant systems, updated versions of the nonce shares thathave been generated by a proactive secret sharing process.
 13. Themethod of claim 1, wherein at least one participant system is a mobiledevice with a persistent connection to a public communication network.14. The method of claim 1, wherein the message signing system receivesthe nonce shares and the partial signatures in response to at least oneauthorization input received from a participant via a user interface.15. The method of claim 1, wherein the signature is an ED25519signature.
 16. The method of claim 1, wherein the signature is one of aBoneh-Lynn-Shacham (BLS) signature, and a Schnorr signature.
 17. Adistributed cryptographic signing system, comprising, a message signingsystem; and a plurality of message signing participant systems, whereinthe message signing system comprises memory storing machine-executableinstructions that, when executed by the message signing system, controlthe message signing system to: receive a message associated with apublic signing key; facilitate collective generation of a set of nonceshares by using message signing participant systems for each participantin a first set of message signing participants, wherein each participantsystem for a participant in the first set: generates a nonce seed,generates a nonce based on: the generated nonce seed, the message, thepublic signing key, and a respective share of a private signing keyassociated with the public signing key, splits the nonce into nonceshares, and encrypts each nonce share to a respective message signingparticipant; facilitate collective generation of a signature for themessage by using message signing participant systems for eachparticipant in a second set of message signing participants, whereineach participant system for a participant in the second set generates apartial signature based on nonce shares that are encrypted to theparticipant, wherein the message signing system generates the signatureby aggregating the partial signatures; and generate a signed message byappending the signature to the message.
 18. The system of claim 17,further comprising a secure key generation system that is constructed togenerate the shares of the private signing key associated with thepublic signing key.
 19. The system of claim 17, wherein the messagesigning system comprises machine-executable instructions that, whenexecuted by the message signing system, control the message signingsystem to: identify a set of public key message signing participantsthat are associated with the public signing key, wherein the set ofpublic key message signing participants includes the first set and thesecond set; and access shares of the private signing key for eachmessage signing participant in the identified set of public key messagesigning participants.
 20. The system of claim 17, wherein the messagesigning system is constructed to facilitate collective generation of thesignature in response to receiving nonce shares from threshold number ofparticipant systems.